From time to time people have this issue where HA will be unreachable because of an expired certification, while Duck DNS logs show a newer certificate.
This just happened to me too, and restarting NGINX solved it.
I’ve tried restarting HA, Duck DNS, clearing browser cache, but none of these worked, however restarting NGINX solved it on multiple devices.
This could be tested easily, but I couldn’t get the Duck DNS add-on to recreate the certificate while the old one is still active.
I don’t know how NGINX works, but I suspect it keeps the certification file it reads on startup, then if it runs long enough without restarting, it will expire.
That is often the case with services that use certificates.
A reload of the config is usually required to reread the certificate files. A restart is often not required, but will cause a reload too, obviously.
I understand.
This behavior is not stable.
It should either reload the config before the certificate is going to expire, or every X configurable days, etc.
Of course I can just set up an automation to restart NGINX every X days, but I would expect this to be handled automatically, especially since it’s not exactly trivial to figure out what the problem is when it happens.
It does not know when there are new certificates available. Let’s Encrypt recommends updating the certificates each month, but their certificates last 3 months.
Some of the other integrations might do this as an automation, like Let’s Encrypt or DuckDNS.
It probably also depends on the addon you’re using. I’m using NGINX Proxy Manager, which handles the LetsEncrypt certificates for you (no need for other addons). Since I’ve not had this issue over a long period of operation while rarely restarting the addon, I’m assuming it copes.
It also lets you request a new certificate through the UI while the current one is still active. And as a bonus, you can also set up other domains/subdomains that point to different local servers with their own certificates (if you’re into that sort of thing).
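
A check for the situation discussed in this thread, added here as an example and not taken from any poster or add-on: it compares the certificate NGINX is actually serving with the leaf certificate in the file on disk, and reloads NGINX only when they differ. The certificate path, hostname and reload command are assumptions to adjust for your setup (for a Home Assistant add-on the reload step would be an add-on restart instead), and the `timeout` argument needs Python 3.10 or later.

```python
import hashlib
import re
import ssl
import subprocess

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM text (the leaf in a full chain)."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()


def fetch_served_pem(host, port=443):
    # get_server_certificate() does not validate the peer when no CA file is
    # given, so it still works after the served certificate has expired.
    return ssl.get_server_certificate((host, port), timeout=10)


def is_stale(disk_pem, served_pem):
    """True when the proxy serves a different certificate than the file on disk."""
    return leaf_fingerprint(disk_pem) != leaf_fingerprint(served_pem)


def reload_if_stale(cert_path, host, port=443, fetch=fetch_served_pem,
                    reload_cmd=("nginx", "-s", "reload"), run=subprocess.run):
    """Reload NGINX only if the served certificate is not the one on disk."""
    with open(cert_path, encoding="ascii") as fh:
        disk_pem = fh.read()
    if not is_stale(disk_pem, fetch(host, port)):
        return False
    run(list(reload_cmd), check=True)
    return True


if __name__ == "__main__":
    # Assumed placeholder values: replace with your own path and hostname.
    print(reload_if_stale("/ssl/fullchain.pem", "your-name.duckdns.org"))
```

Run on a schedule, this reloads NGINX shortly after a renewal instead of on a fixed "every X days" timer, and does nothing when the served certificate is already current.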